Investigator ZachXBT reported a $10 million exploit against the cross-chain liquidity protocol THORChain this week. Fund movements suggested the breach, leading THORChain to halt its trading activity.
ZachXBT initially estimated losses at $7 million before revising the figure upwards. Crypto security firms have since confirmed the exploit. PeckShieldAlert, a prominent firm, stated the attacker stole $3 million in Bitcoin and approximately $7 million in other crypto assets from BNBChain, Ethereum, and Base networks.
ZachXBT listed three theft addresses associated with the incident: bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37, 0x82fc0d5150f3548027e971ec04c065f3c93154eb, and 0xd477b69551f49c0519f9b18c55030676138890bd. Another crypto investigator, known as "tanuki42," claimed the exploiter's gas funds came from the bridging protocol Wagyu xyz.
Neither THORChain's official X account nor that of its founder, John-Paul Thorbjornsen, has released a statement regarding the exploit. THORChain had previously paused its lending and savings services, but officials characterized that $200 million restructure as "no big deal." The exact cause of the current exploit remains unclear.
This event follows recent claims about THORChain's connections to North Korea. Earlier this week, crypto researcher "meow mfer" alleged that THORSwap, described by THORChain as its "leading multi-chain decentralized exchange aggregator," hired a suspected North Korean IT worker.
Meow mfer detailed that this individual had at least three pull requests merged into the official SwapKit repository, the core SDK for THORSwap's cross-chain infrastructure. The researcher indicated the individual built wallet integration code for THORSwap. The same worker also reportedly developed "MEV extraction tools" and possessed concealment software linked to North Korean state actors.
Last year, Thorbjornsen's personal wallet was drained of $1.2 million in crypto assets. THORSwap offered a bounty for information on that hack. ZachXBT attributed the earlier theft to North Korea, writing at the time that Thorbjornsen "has greatly benefited financially from the laundering of DPRK hacks/exploits." He suggested a degree of "poetic" justice in the founder's own wallet being compromised by the DPRK.
Funds stolen by North Korean entities frequently move through THORChain and its associated services. These transactions have generated considerable profits for the protocol and its founders over time.
As of this report, THORChain's trading services remain suspended.